NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG REPORT TO OMB ON THE NATIONAL CREDIT UNION ADMINISTRATION'S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT
2008
Report #OIG-08-07        September 24, 2008

William A. DeSarno
Inspector General

Released by:           James Hagen, Asst IG for Audits
Auditor-in-Charge:     W. Marvin Stith, CISA, Sr Information Technology Auditor

CONTENTS

Section                                                      Page
I     EXECUTIVE SUMMARY                                        1
II    OFFICE OF MANAGEMENT & BUDGET REPORT FORMAT              2

Appendix
A     Independent Evaluation of the NCUA Information Security Program – 2008
B     NCUA Financial Statements Audit – FY2007

Appendix A is Audit Report OIG-08-08 dated September 24, 2008.

Section II and Appendix B are limited to restricted official use only.

I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Grant Thornton LLP to independently evaluate its information systems and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.

Grant Thornton evaluated NCUA's security program through interviews, documentation reviews, technical configuration reviews, social engineering testing, and sample testing. We evaluated NCUA against standards and requirements for federal government agencies such as those provided through FISMA, National Institute of Standards and Technology (NIST) Special Publications (SPs), and Office of Management and Budget (OMB) memorandums. We conducted an exit conference with NCUA on July 23, 2008, to discuss evaluation results.

The NCUA has worked to further strengthen its information technology (IT) security program during Fiscal Year (FY) 2008. NCUA's accomplishments during this period include:

      Implementing OMB guidance in managing privacy and breach notifications.
      Ninety-seven percent of NCUA employees completed annual security awareness training.

We identified six areas remaining from last year's FISMA evaluation that still need improvement:

      NCUA has not adequately established segregation of duty controls for its applications.
      NCUA has not completed E-Authentication risk assessments for its systems.
      NCUA has not completed security controls testing for one of its FISMA systems.
      NCUA does not have a formal agency-wide security configuration guide.
      NCUA has not updated its employee enter/exit/change procedures.
      NCUA has not implemented continuing education requirements for its IT employees.

In addition, we identified four new findings this year where NCUA could improve IT security controls:

      NCUA's System Software Change Procedures need improvement.
      NCUA vulnerability management needs improvement.
      NCUA lacks a comprehensive contingency planning program for its FISMA systems.
      NCUA's Plans of Action and Milestones (POA&M) process needs improvement.

We appreciate the courtesies and cooperation provided to our auditors during this audit.